Information Security Blog

Tackling Smart Grid Security – Back to Basics

Smart Grid promises to radically change the face of energy technology; along the way, however, it creates threat vectors that can leave utility companies vulnerable to a whole new realm of attacks. Beyond these new threats, utility companies are also affected by the uncertain economic times: investments are receiving more scrutiny from local PUCs (Public Utility Commissions) as it becomes increasingly difficult to recover their cost from consumers. Fewer dollars devoted to securing critical infrastructure, combined with increased regulatory compliance enforcement, have security professionals scrambling; utility companies are being forced to trim development and maximize their budgets without extra resources.

Another threat is the lack of enforceable Smart Grid security standards for the power distribution grids; the only enforceable standard circulating in the industry today is the NERC CIP standard, which applies only to generation and transmission. There is no shortage of good guidelines, such as NISTIR 7628, NIST 800-82 (Industrial Control Systems Security), Cyber Assessment Methods for SCADA Security, Guide to Critical Infrastructure Protection Cyber Vulnerability Assessment, and Security Framework for Control System Data Classification and Protection, to name a few, but the lack of enforceable standards leaves utilities not knowing where to go and confused about which guidelines are appropriate for their needs.

This wait-and-see approach, while Smart Grid technologies are being deployed in the grid, will only make interoperability among these technologies more difficult, as vendors adopt their own security approaches and proprietary technologies.

What should you do?

Instead of taking the wait-and-see approach and continuing to deploy insecure devices in your infrastructure while waiting for your vendor to decide whether to implement security in their devices, go “back to basics”.

Identify the assets, systems, networks, people and functions that are critical to your business; this information is the foundation of a risk-based approach to security. In uncertain economic times, utilities need to be diligent about how they invest their money, and a risk-based approach is not only diligent but also provides a framework for continuous improvement of the protection of critical systems.

The best way to perform your first assessment, or to verify your current results, is to engage a third party: a consulting company that provides vulnerability assessment and penetration testing services and has experience in the utility industry. (Utility experience is one requirement you should make sure to put in your RFPs.)

Once you have your results, go back to your risk framework and prioritize based on which identified risks would have the greatest impact on the business if realized. This priority list, along with an educated assessment and justification, gives management a strategic security plan to improve your security posture and implement a continuous improvement program.

Once your program has been approved, the process of developing and implementing effective protective measures can be broken down into three steps:

  • Determine needs;
    • Analyze your priority list and identify which tools and programs are needed.
  • Design your security program;
    • Design your protective program approach.
  • Develop your continuous improvement program;
    • Make sure you implement a repeatable strategy.

Last but not least, “measure.” Implementing repeatable processes requires that you measure their effectiveness and continue to improve them.

These steps will assist your organization in improving security while the industry works to find a standard approach that everyone in the energy industry can emulate. Meanwhile, remember this:

Identify – Assess – Prioritize – Implement – Measure
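As an added illustration (not code from the original post), here is a constructed risk register that follows the Identify – Assess – Prioritize – Measure loop: the asset names, criticality values, and finding likelihood and impact scores are all assumptions, chosen to show how asset criticality drives the priority list and how two assessment cycles yield a measurable result.

```python
from dataclasses import dataclass

# Constructed asset inventory: criticality 1-5 reflects impact on the business
# and on grid operations if the asset is compromised (the "Identify" step).
ASSETS = {
    "ami-headend": 5,      # meter data, billing and remote disconnect
    "substation-rtu": 5,   # field telemetry and control path
    "scada-historian": 3,  # reporting only, no control path
    "corp-wiki": 1,        # internal documentation
}

@dataclass(frozen=True)
class Finding:
    """One finding from a third-party assessment (the "Assess" step)."""
    asset: str
    title: str
    likelihood: int  # 1-5, chance the finding is exploited
    impact: int      # 1-5, business impact if the risk is realized

def risk_score(f: Finding) -> int:
    """Likelihood x impact, weighted by the affected asset's criticality."""
    return f.likelihood * f.impact * ASSETS[f.asset]

def prioritize(findings):
    """The priority list for management: highest business risk first."""
    return sorted(findings, key=risk_score, reverse=True)

def measure(before, after):
    """Repeatable metric: total risk in two assessment cycles and the reduction."""
    total_before = sum(risk_score(f) for f in before)
    total_after = sum(risk_score(f) for f in after)
    pct = round(100 * (total_before - total_after) / total_before, 1) if total_before else 0.0
    return {"before": total_before, "after": total_after, "reduction_pct": pct}

# Constructed findings from a first assessment cycle (hypothetical, not real results)
CYCLE1 = [
    Finding("corp-wiki", "Outdated CMS version", 4, 2),
    Finding("ami-headend", "Default vendor credentials", 4, 5),
    Finding("substation-rtu", "Unauthenticated control protocol", 3, 5),
    Finding("scada-historian", "Missing OS patches", 3, 3),
]
# Second cycle: the two highest-priority findings were remediated
CYCLE2 = [f for f in CYCLE1 if f.asset not in ("ami-headend", "substation-rtu")]

if __name__ == "__main__":
    for f in prioritize(CYCLE1):
        print(f"{risk_score(f):4d}  {f.asset:16s} {f.title}")
    print(measure(CYCLE1, CYCLE2))
```

Note that the outdated wiki finding has a higher likelihood than the substation one but lands last, because priority follows business impact, not raw exploitability.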

What is your security approach? I would like to hear from you, please leave a comment.

About the Author:

John Verry (CISA, 27001 Certified Lead Auditor, CCSE, CRISC) is Pivot Point's resident "Security Sherpa". He is lucky enough to spend most of his day helping clients develop a road map to address security, compliance, and attestation requirements.